Abstract. We present a program synthesis method based on unfold/fold transformation rules which can be used for deriving terminating definite logic programs from formulas of the Weak Monadic Second Order theory of one successor (WS1S). This synthesis method can also be used as a proof method which is a decision procedure for closed formulas of WS1S. We apply our synthesis method for translating CLP(WS1S) programs into logic programs and we use it also as a proof method for verifying safety properties of infinite state systems.



1 Introduction 

The Weak Monadic Second Order theories of k successors (WSkS) are theories of second order predicate logic which express properties of finite sets of finite strings over a k-symbol alphabet (see [?] for a survey). Their importance lies in the fact that they are among the most expressive theories of predicate logic which are decidable. These decidability results were proved in the 1960's [?,?], but they were considered as purely theoretical results, due to the very high complexity of the automata-based decision procedures.

In recent years, however, it has been shown that some Monadic Second Order theories can, in fact, be decided by using ad-hoc, efficient techniques, such as BDDs and algorithms for finite state automata. In particular, the MONA system implements these techniques for the WS1S and WS2S theories [?].

The MONA system has been used for the verification of several non-trivial 
finite state systems [?,?]. However, the Monadic Second Order theories alone 
are not expressive enough to deal with properties of infinite state systems and, 
thus, for the verification of such systems alternative techniques have been used, 
such as those based on the embedding of the Monadic Second Order theories 
into more powerful logical frameworks (see, for instance, [?]). 

In a previous paper of ours [?] we proposed a verification method for infinite state systems based on CLP(WSkS), which is a constraint logic programming language resulting from the embedding of WSkS into logic programs. In order to perform proofs of properties of infinite state systems in an automatic way according to the approach we have proposed, we need a system for constraint logic programming which uses a solver for WSkS formulas and, unfortunately, no such system is available yet.

In order to overcome this difficulty, in this paper we propose a method for translating CLP(WS1S) programs into logic programs. This translation is performed by a two step program synthesis method which produces terminating definite logic programs from WS1S formulas. Step 1 of our synthesis method consists in deriving a normal logic program from a WS1S formula, and it is based on a variant of the Lloyd-Topor transformation [?]. Step 2 consists in applying an unfold/fold transformation strategy to the normal logic program derived at the end of Step 1, thereby deriving a terminating definite logic program. Our synthesis method follows the general approach presented in [?,?]. We leave for future research the translation into logic programs starting from general CLP(WSkS) programs.

The specific contributions of this paper are the following ones.

(1) We provide a synthesis strategy which is guaranteed to terminate for any given WS1S formula.

(2) We prove that, when we start from a closed WS1S formula $\varphi$, our synthesis strategy produces a program which is either (i) a unit clause of the form $f \leftarrow$, where $f$ is a nullary predicate equivalent to the formula $\varphi$, or (ii) the empty program. Since in case (i) $\varphi$ is true and in case (ii) $\varphi$ is false, our strategy is also a decision procedure for closed WS1S formulas.

(3) We show through a non-trivial example that our verification method based on CLP(WS1S) programs is useful for verifying properties of infinite state transition systems. In particular, we prove the safety property of a mutual exclusion protocol for a set of processes whose cardinality may change over time. Our verification method requires: (i) the encoding into WS1S formulas of both the transition relation and the elementary properties of the states of a transition system, and (ii) the encoding into a CLP(WS1S) program of the safety property under consideration. Here we perform our verification task by translating the CLP(WS1S) program into a definite logic program, thereby avoiding the use of a solver for WS1S formulas. The verification of the safety property has been performed by using a prototype tool built on top of the MAP transformation system [?].

2 The Weak Monadic Second Order Theory of One Successor

We will consider a first order presentation of the Weak Monadic Second Order theory of one successor (WS1S). This first order presentation consists in writing formulas of the form $n \in S$, where $\in$ is a first order predicate symbol (to be interpreted as membership of a natural number to a finite set of natural numbers), instead of formulas of the form $S(n)$, where $S$ is a predicate variable (to be interpreted as ranging over finite sets of natural numbers).

We use a typed first order language, with the following two types: nat, denoting the set of natural numbers, and set, denoting the set of the finite sets of natural numbers (for a brief presentation of typed first order logic the reader may look at [?]). The alphabet of WS1S consists of: (i) a set Ivars of individual variables $N, N_1, N_2, \ldots$ of type nat, (ii) a set Svars of set variables $S, S_1, S_2, \ldots$ of type set, (iii) the nullary function symbol $0$ (zero) of type nat, and the unary function symbol $s$ (successor) of type nat $\to$ nat, and (iv) the binary predicate symbols $\leq$ of type nat $\times$ nat, and $\in$ of type nat $\times$ set. Ivars $\cup$ Svars is ranged over by $X, X_1, X_2, \ldots$ The syntax of WS1S is defined by the following grammar:

Individual terms: $n ::= 0 \mid N \mid s(n)$

Atomic formulas: $A ::= n_1 \leq n_2 \mid n \in S$

Formulas: $\varphi ::= A \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \exists N\,\varphi \mid \exists S\,\varphi$

When writing formulas we feel free to use also the connectives $\vee$, $\to$, and the universal quantifier $\forall$, as shorthands for the corresponding formulas with $\neg$, $\wedge$, and $\exists$. Given any two individual terms $n_1$ and $n_2$, we will write the formulas $n_1 = n_2$, $n_1 \neq n_2$, and $n_1 < n_2$ as shorthands for the corresponding formulas using $\leq$. Notice that, for reasons of simplicity, we have assumed that the symbol $\leq$ is primitive, although it is also possible to define it in terms of $\in$ [?].

An example of a WS1S formula is the following formula $\mu$, with free variables $N$ and $S$, which expresses that $N$ is the maximum number in a finite set $S$:

$\mu$: $N \in S \wedge \neg\exists N_1\,(N_1 \in S \wedge \neg N_1 \leq N)$
The semantics of WS1S formulas is defined by considering the following typed interpretation $\mathcal{N}$:

(i) the domain of the type nat is the set Nat of the natural numbers and the domain of the type set is the set $P_{fin}(Nat)$ of all finite subsets of Nat;

(ii) the constant symbol $0$ is interpreted as the natural number 0 and the function symbol $s$ is interpreted as the successor function from Nat to Nat;

(iii) the predicate symbol $\leq$ is interpreted as the less-or-equal relation on natural numbers, and the predicate symbol $\in$ is interpreted as the membership of a natural number to a finite set of natural numbers.

The notion of a variable assignment $\sigma$ over a typed interpretation is analogous to the untyped case, except that $\sigma$ assigns to a variable an element of the domain of the type of the variable. The definition of the satisfaction relation $I \models_\sigma \varphi$, where $I$ is a typed interpretation and $\sigma$ is a variable assignment, is also analogous to the untyped case, with the only difference that when we interpret an existentially quantified formula we assume that the quantified variable ranges over the domain of its type. We say that a formula $\varphi$ is true in an interpretation $I$, written as $I \models \varphi$, iff $I \models_\sigma \varphi$ for all variable assignments $\sigma$. The problem of checking whether or not a WS1S formula is true in the interpretation $\mathcal{N}$ is decidable [?].

3 Translating WS1S Formulas into Normal Logic Programs

In this section we illustrate Step 1 of our method for synthesizing definite programs from WS1S formulas. In this step, starting from a WS1S formula, we derive a stratified normal logic program [?] (simply called a stratified program) by applying a variant of the Lloyd-Topor transformation, called typed Lloyd-Topor transformation. Given a stratified program $P$, we denote by $M(P)$ its perfect model (which is equal to its least Herbrand model if $P$ is a definite program) [?].

Before presenting the typed Lloyd-Topor transformation, we need to introduce a definite program, called NatSet, which axiomatizes: (i) the natural numbers, (ii) the finite sets of natural numbers, (iii) the ordering on natural numbers ($\leq$), and (iv) the membership of a natural number to a finite set of natural numbers ($\in$). We represent: (i) a natural number $k$ ($\geq 0$) as a ground term of the form $s^k(0)$, and (ii) a set of natural numbers as a finite, ground list $[b_0, b_1, \ldots, b_m]$ where, for $i = 0, \ldots, m$, we have that $b_i$ is either $y$ or $n$. A number $k$ belongs to the set represented by $[b_0, b_1, \ldots, b_m]$ iff $b_k = y$. Thus, the finite, ground lists $[b_0, b_1, \ldots, b_m]$ and $[b_0, b_1, \ldots, b_m, n, \ldots, n]$ represent the same set. In particular, the empty set is represented by any list of the form $[n, \ldots, n]$. The program NatSet consists of the following clauses (we adopt infix notation for $\leq$ and $\in$):

$nat(0) \leftarrow$
$nat(s(N)) \leftarrow nat(N)$
$set([\,]) \leftarrow$
$set([y|S]) \leftarrow set(S)$
$set([n|S]) \leftarrow set(S)$
$0 \leq N \leftarrow$
$s(N_1) \leq s(N_2) \leftarrow N_1 \leq N_2$
$0 \in [y|S] \leftarrow$
$s(N) \in [B|S] \leftarrow N \in S$
Atoms of the form $nat(N)$ and $set(S)$ are called type atoms. Now we will establish a correspondence between the set of WS1S formulas which are true in $\mathcal{N}$ and the set of the so-called explicitly typed WS1S formulas which are true in the least Herbrand model $M(NatSet)$ (see Theorem 1 below).

Given a WS1S formula $\varphi$, the explicitly typed WS1S formula corresponding to $\varphi$ is the formula $\varphi_\tau$ constructed as follows. We first replace the subformulas of the form $\exists N\,\psi$ by $\exists N\,(nat(N) \wedge \psi)$ and the subformulas of the form $\exists S\,\psi$ by $\exists S\,(set(S) \wedge \psi)$, thereby getting a new formula $\varphi_\eta$ where every bound (individual or set) variable occurs in a type atom. Then, we get:

$\varphi_\tau$: $nat(N_1) \wedge \ldots \wedge nat(N_h) \wedge set(S_1) \wedge \ldots \wedge set(S_k) \wedge \varphi_\eta$

where $N_1, \ldots, N_h, S_1, \ldots, S_k$ are the variables which occur free in $\varphi$.

For instance, let us consider again the formula $\mu$ which expresses that $N$ is the maximum number in a set $S$. The explicitly typed formula corresponding to $\mu$ is the following formula:

$\mu_\tau$: $nat(N) \wedge set(S) \wedge N \in S \wedge \neg\exists N_1\,(nat(N_1) \wedge N_1 \in S \wedge \neg N_1 \leq N)$

For reasons of simplicity, in the following Theorem 1 we identify: (i) a natural number $k$ ($\geq 0$) in Nat with the ground term $s^k(0)$ representing that number, and (ii) a finite set of natural numbers in $P_{fin}(Nat)$ with any finite, ground list representing that set. By using these identifications, we can view any variable assignment over the typed interpretation $\mathcal{N}$ also as a variable assignment over the untyped interpretation $M(NatSet)$ (but not vice versa).

Theorem 1. Let $\varphi$ be a WS1S formula and let $\varphi_\tau$ be the explicitly typed formula corresponding to $\varphi$. For every variable assignment $\sigma$ over $\mathcal{N}$,

$\mathcal{N} \models_\sigma \varphi$ iff $M(NatSet) \models_\sigma \varphi_\tau$
Proof. The proof proceeds by induction on the structure of the formula $\varphi$.

(i) Suppose that $\varphi$ is of the form $n_1 \leq n_2$. By the definition of the satisfaction relation, $\mathcal{N} \models_\sigma n_1 \leq n_2$ iff the natural number $\sigma(n_1)$ is less than or equal to the natural number $\sigma(n_2)$. By the definition of least Herbrand model and by using the clauses in NatSet which define $\leq$, $\sigma(n_1)$ is less than or equal to $\sigma(n_2)$ iff $M(NatSet) \models \sigma(n_1) \leq \sigma(n_2)$ (here we identify every natural number $n$ with the ground term $s^n(0)$). It can be shown that $M(NatSet) \models nat(\sigma(n_1))$ and $M(NatSet) \models nat(\sigma(n_2))$. Thus, $M(NatSet) \models \sigma(n_1) \leq \sigma(n_2)$ iff $M(NatSet) \models_\sigma nat(n_1) \wedge nat(n_2) \wedge n_1 \leq n_2$. Now, the term $n_1$ is either of the form $s^{m_1}(0)$ or of the form $s^{m_1}(N_1)$, where $m_1$ is a natural number. Similarly, the term $n_2$ is either of the form $s^{m_2}(0)$ or of the form $s^{m_2}(N_2)$, where $m_2$ is a natural number. We consider the case where $n_1$ is $s^{m_1}(N_1)$ and $n_2$ is $s^{m_2}(N_2)$. The other cases are similar and we omit them. It can be shown that, for all natural numbers $m$, $M(NatSet) \models_\sigma nat(s^m(N))$ iff $M(NatSet) \models_\sigma nat(N)$. Thus, $M(NatSet) \models_\sigma nat(s^{m_1}(N_1)) \wedge nat(s^{m_2}(N_2)) \wedge s^{m_1}(N_1) \leq s^{m_2}(N_2)$ iff $M(NatSet) \models_\sigma nat(N_1) \wedge nat(N_2) \wedge s^{m_1}(N_1) \leq s^{m_2}(N_2)$, that is, $M(NatSet) \models_\sigma (n_1 \leq n_2)_\tau$.

(ii) The case where $\varphi$ is of the form $n \in S$ is similar to Case (i).

(iii) Suppose that $\varphi$ is of the form $\neg\psi$. By the definition of the satisfaction relation and the induction hypothesis, $\mathcal{N} \models_\sigma \neg\psi$ iff $M(NatSet) \models_\sigma \neg(\psi_\tau)$. Since $\psi_\tau$ is of the form $a_1(X_1) \wedge \ldots \wedge a_k(X_k) \wedge \psi_\eta$, where $X_1, \ldots, X_k$ are the free variables in $\psi$ and $a_1(X_1), \ldots, a_k(X_k)$ are type atoms, by logical equivalence we get: $M(NatSet) \models_\sigma \neg(\psi_\tau)$ iff $M(NatSet) \models_\sigma (a_1(X_1) \wedge \ldots \wedge a_k(X_k) \wedge \neg(\psi_\eta)) \vee \neg(a_1(X_1) \wedge \ldots \wedge a_k(X_k))$. Finally, since for all variable assignments $\sigma$ over $\mathcal{N}$, $M(NatSet) \models_\sigma a_1(X_1) \wedge \ldots \wedge a_k(X_k)$, we have that $M(NatSet) \models_\sigma \neg(\psi_\tau)$ iff $M(NatSet) \models_\sigma a_1(X_1) \wedge \ldots \wedge a_k(X_k) \wedge \neg(\psi_\eta)$, that is, $M(NatSet) \models_\sigma (\neg\psi)_\tau$ (to see this, note that $\neg(\psi_\eta)$ is equal to $(\neg\psi)_\eta$).

(iv) The case where $\varphi$ is of the form $\psi_1 \wedge \psi_2$ is similar to Case (iii).

(v) Suppose that $\varphi$ is of the form $\exists N_1\,\psi$. By the definition of the satisfaction relation and by the induction hypothesis, $\mathcal{N} \models_\sigma \exists N_1\,\psi$ iff there exists $n_1$ in Nat such that $M(NatSet) \models_{\sigma[N_1 \mapsto n_1]} \psi_\tau$. Since $\psi_\tau$ is of the form $nat(N_1) \wedge \ldots \wedge nat(N_h) \wedge set(S_1) \wedge \ldots \wedge set(S_k) \wedge \psi_\eta$, where $N_1, \ldots, N_h, S_1, \ldots, S_k$ are the free variables in $\psi$, we have that:

there exists $n_1$ in Nat such that $M(NatSet) \models_{\sigma[N_1 \mapsto n_1]} \psi_\tau$

iff $M(NatSet) \models_\sigma \exists N_1\,(nat(N_1) \wedge \ldots \wedge nat(N_h) \wedge set(S_1) \wedge \ldots \wedge set(S_k) \wedge \psi_\eta)$

iff (by logical equivalence) $M(NatSet) \models_\sigma nat(N_2) \wedge \ldots \wedge nat(N_h) \wedge set(S_1) \wedge \ldots \wedge set(S_k) \wedge \exists N_1\,(nat(N_1) \wedge \psi_\eta)$

iff (by definition of explicitly typed formula) $M(NatSet) \models_\sigma (\exists N_1\,\psi)_\tau$.

(vi) The case where $\varphi$ is of the form $\exists S\,\psi$ is similar to Case (v). □

As a straightforward consequence of Theorem 1 we have the following result.

Corollary 1. For every closed WS1S formula $\varphi$, $\mathcal{N} \models \varphi$ iff $M(NatSet) \models \varphi_\tau$.

Notice that the introduction of type atoms is indeed necessary, because there are WS1S formulas $\varphi$ such that $\mathcal{N} \models \varphi$ and $M(NatSet) \not\models \varphi$. For instance, $\mathcal{N} \models \forall N_1 \exists N_2\, N_1 < N_2$ and $M(NatSet) \not\models \forall N_1 \exists N_2\, N_1 < N_2$. Indeed, for a variable assignment $\sigma$ over $M(NatSet)$ which assigns $[\,]$ to $N_1$, we have $M(NatSet) \not\models_\sigma \exists N_2\, N_1 < N_2$. (Notice that $\sigma$ is not a variable assignment over $\mathcal{N}$ because $[\,]$ is not a natural number.)

Now we present a variant of the method proposed by Lloyd and Topor [?], called typed Lloyd-Topor transformation, which we use for deriving a stratified program from a given WS1S formula $\varphi$. We need to consider a class of formulas of the form $A \leftarrow \beta$, called statements, where $A$ is an atom, called the head of the statement, and $\beta$ is a formula of the first order predicate calculus, called the body of the statement. In what follows we write $C[\gamma]$ to denote a formula where the subformula $\gamma$ occurs as an outermost conjunct, that is, $C[\gamma] = \psi_1 \wedge \gamma \wedge \psi_2$ for some subformulas $\psi_1$ and $\psi_2$.



The Typed Lloyd-Topor Transformation.

We are given in input a set of statements, where: (i) we assume, without loss of generality, that the only connectives and quantifiers occurring in the bodies of the statements are $\neg$, $\wedge$, and $\exists$, and (ii) $X, X_1, X_2, \ldots$ denote either individual or set variables.

We perform the following transformation (A) and then the transformation (B):

(A) We repeatedly apply the following rules A.1-A.4 until a set of clauses is generated:

(A.1) $A \leftarrow C[\neg\neg\gamma]$ is replaced by $A \leftarrow C[\gamma]$.

(A.2) $A \leftarrow C[\neg(\gamma \wedge \delta)]$ is replaced by $A \leftarrow C[\neg newp(X_1, \ldots, X_k)]$ and $newp(X_1, \ldots, X_k) \leftarrow \gamma \wedge \delta$, where $newp$ is a new predicate and $X_1, \ldots, X_k$ are the variables which occur free in $\gamma \wedge \delta$.

(A.3) $A \leftarrow C[\neg\exists X\,\gamma]$ is replaced by $A \leftarrow C[\neg newp(X_1, \ldots, X_k)]$ and $newp(X_1, \ldots, X_k) \leftarrow \gamma$, where $newp$ is a new predicate and $X_1, \ldots, X_k$ are the variables which occur free in $\exists X\,\gamma$.

(A.4) $A \leftarrow C[\exists X\,\gamma]$ is replaced by $A \leftarrow C[\gamma\{X/X_1\}]$, where $X_1$ is a new variable.

(B) Every clause $A \leftarrow G$ is replaced by $A \leftarrow G_\tau$.



Given a WS1S formula $\varphi$ with free variables $X_1, \ldots, X_n$, we denote by $Cls(f, \varphi_\tau)$ the set of clauses derived by applying the typed Lloyd-Topor transformation starting from the singleton $\{f(X_1, \ldots, X_n) \leftarrow \varphi\}$, where $f$ is a new $n$-ary predicate symbol. By construction, $NatSet \cup Cls(f, \varphi_\tau)$ is a stratified program. We have the following theorem.

Theorem 2. Let $\varphi$ be a WS1S formula with free variables $X_1, \ldots, X_n$ and let $\varphi_\tau$ be the explicitly typed formula corresponding to $\varphi$. For all ground terms $t_1, \ldots, t_n$, we have that:

$M(NatSet) \models \varphi_\tau\{X_1/t_1, \ldots, X_n/t_n\}$ iff $M(NatSet \cup Cls(f, \varphi_\tau)) \models f(t_1, \ldots, t_n)$

Proof. It is similar to the proofs presented in [?,?] and we omit it.

From Theorems 1 and 2 we have the following corollaries.

Corollary 2. For every WS1S formula $\varphi$ with free variables $X_1, \ldots, X_n$, and for every variable assignment $\sigma$ over the typed interpretation $\mathcal{N}$,

$\mathcal{N} \models_\sigma \varphi$ iff $M(NatSet \cup Cls(f, \varphi_\tau)) \models f(\sigma(X_1), \ldots, \sigma(X_n))$

Corollary 3. For every closed WS1S formula $\varphi$,

$\mathcal{N} \models \varphi$ iff $M(NatSet \cup Cls(f, \varphi_\tau)) \models f$

Let us consider again the formula $\mu$ we have considered above. By applying the typed Lloyd-Topor transformation starting from the singleton $\{max(S, N) \leftarrow \mu\}$ we get the following set of clauses $Cls(max, \mu_\tau)$:

$max(S, N) \leftarrow nat(N) \wedge set(S) \wedge N \in S \wedge \neg newp(S, N)$
$newp(S, N) \leftarrow nat(N) \wedge nat(N_1) \wedge set(S) \wedge N_1 \in S \wedge \neg N_1 \leq N$
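As an added illustration, not code from the paper, the following Python module implements the typed Lloyd-Topor transformation (rules A.1-A.4 followed by rule (B)) on a small formula AST and reproduces $Cls(max, \mu_\tau)$ from the statement $max(S, N) \leftarrow \mu$. The following choices are made here and are not part of the paper: the predicates $\leq$ and $\in$ are named `leq` and `mem`, a statement body is kept as the list of its outermost conjuncts (the $C[\gamma]$ view), new predicates are named `newp1`, `newp2`, ..., fresh variables are obtained by appending a counter to the quantified variable, and a variable is taken to be a set variable iff its name starts with `S`.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union

Term = Union[str, int, tuple]          # a variable name, the constant 0, or a successor ("s", term)

@dataclass(frozen=True)
class Atom:
    pred: str                          # "leq" for <=, "mem" for "in", or a program predicate
    args: Tuple[Term, ...]

@dataclass(frozen=True)
class Not:
    sub: "Formula"

@dataclass(frozen=True)
class And:
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Exists:
    var: str
    sub: "Formula"

Formula = Union[Atom, Not, And, Exists]

def is_set_var(v: str) -> bool:        # assumed naming convention: set variables start with "S"
    return v.startswith("S")

def term_vars(t: Term) -> List[str]:
    return [t] if isinstance(t, str) else (term_vars(t[1]) if isinstance(t, tuple) else [])

def term_subst(t: Term, old: str, new: str) -> Term:
    if isinstance(t, tuple):
        return ("s", term_subst(t[1], old, new))
    return new if t == old else t

def free_vars(phi: Formula) -> List[str]:   # in order of first occurrence, without duplicates
    if isinstance(phi, Atom):
        vs = [v for a in phi.args for v in term_vars(a)]
    elif isinstance(phi, Not):
        vs = free_vars(phi.sub)
    elif isinstance(phi, And):
        vs = free_vars(phi.left) + free_vars(phi.right)
    else:
        vs = [v for v in free_vars(phi.sub) if v != phi.var]
    return list(dict.fromkeys(vs))

def subst(phi: Formula, old: str, new: str) -> Formula:   # phi{old/new}; `new` is always fresh
    if isinstance(phi, Atom):
        return Atom(phi.pred, tuple(term_subst(a, old, new) for a in phi.args))
    if isinstance(phi, Not):
        return Not(subst(phi.sub, old, new))
    if isinstance(phi, And):
        return And(subst(phi.left, old, new), subst(phi.right, old, new))
    return phi if phi.var == old else Exists(phi.var, subst(phi.sub, old, new))

def conjuncts(phi: Formula) -> List[Formula]:   # outermost conjuncts: the C[gamma] view of a body
    return conjuncts(phi.left) + conjuncts(phi.right) if isinstance(phi, And) else [phi]

def is_literal(phi: Formula) -> bool:
    return isinstance(phi, Atom) or (isinstance(phi, Not) and isinstance(phi.sub, Atom))

def typed_lloyd_topor(head: Atom, body: Formula) -> List[Tuple[Atom, List[Formula]]]:
    """Rules A.1-A.4 on the statement head <- body, then rule (B). Returns (head, body) clauses."""
    pending, clauses, counter = [(head, conjuncts(body))], [], {"pred": 0, "var": 0}

    def new_pred(vs: List[str]) -> Atom:        # newp(X1,...,Xk) with a fresh predicate name
        counter["pred"] += 1
        return Atom(f"newp{counter['pred']}", tuple(vs))

    while pending:
        h, b = pending.pop(0)
        idx = next((i for i, c in enumerate(b) if not is_literal(c)), None)
        if idx is None:                           # every conjunct is a literal: a clause
            clauses.append((h, b))
            continue
        c, left, right = b[idx], b[:idx], b[idx + 1:]
        if isinstance(c, Not) and isinstance(c.sub, Not):      # A.1: not not gamma -> gamma
            pending.append((h, left + conjuncts(c.sub.sub) + right))
        elif isinstance(c, Not) and isinstance(c.sub, And):    # A.2: not (gamma and delta)
            np = new_pred(free_vars(c.sub))
            pending += [(h, left + [Not(np)] + right), (np, conjuncts(c.sub))]
        elif isinstance(c, Not):                               # A.3: not exists X gamma
            np = new_pred(free_vars(c.sub))
            pending += [(h, left + [Not(np)] + right), (np, conjuncts(c.sub.sub))]
        else:                                                  # A.4: exists X gamma -> gamma{X/X'}
            counter["var"] += 1
            fresh = f"{c.var}_{counter['var']}"
            pending.append((h, left + conjuncts(subst(c.sub, c.var, fresh)) + right))

    typed = []                                    # rule (B): A <- G becomes A <- G_tau
    for h, b in clauses:
        vs = sorted(dict.fromkeys(v for l in b for v in free_vars(l)), key=lambda v: (is_set_var(v), v))
        typed.append((h, [Atom("set" if is_set_var(v) else "nat", (v,)) for v in vs] + b))
    return typed

def lit_str(l: Formula) -> str:
    ts = lambda t: f"s({ts(t[1])})" if isinstance(t, tuple) else str(t)
    return "not " + lit_str(l.sub) if isinstance(l, Not) else f"{l.pred}({','.join(map(ts, l.args))})"

def clause_str(cl) -> str:
    return lit_str(cl[0]) + " <- " + " & ".join(lit_str(l) for l in cl[1])

# The paper's formula mu: N in S and not exists N1 (N1 in S and not N1 <= N)
MU = And(Atom("mem", ("N", "S")),
         Not(Exists("N1", And(Atom("mem", ("N1", "S")), Not(Atom("leq", ("N1", "N")))))))

if __name__ == "__main__":
    for cl in typed_lloyd_topor(Atom("max", ("S", "N")), MU):   # prints Cls(max, mu_tau)
        print(clause_str(cl))
```

Running the module prints the two clauses of $Cls(max, \mu_\tau)$ shown above, with `newp1` in place of $newp$; the only non-literal conjunct of $\mu$ is the negated existential, so rule A.3 fires once and rule (B) then adds $nat(N_1)$ to the new clause because $N_1$ became free in its body.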

Unfortunately, the stratified program $NatSet \cup Cls(f, \varphi_\tau)$ derived from the singleton $\{f(X_1, \ldots, X_n) \leftarrow \varphi\}$ is not always satisfactory from a computational point of view, because it may not terminate when evaluating the query $f(X_1, \ldots, X_n)$ by using SLDNF resolution. (Actually, the above program $Cls(max, \mu_\tau)$, which computes the maximum number of a set, terminates for all ground queries, but later in the paper we will give an example where the program derived at the end of the typed Lloyd-Topor transformation does not terminate.) Similar termination problems may occur by using tabled resolution [?], instead of SLDNF resolution.

To overcome this problem, we apply to the program $NatSet \cup Cls(f, \varphi_\tau)$ the unfold/fold transformation strategy which we will describe in Section 5. In particular, by applying this strategy we derive definite programs which terminate for all ground queries by using LD resolution (that is, SLD resolution with the leftmost selection rule).

4 The Transformation Rules

In this section we describe the transformation rules which we use for transforming stratified programs. These rules are a subset of those presented in [?,?], and they are those required for the unfold/fold transformation strategy presented in Section 5.

For presenting our rules we need the following notions. A variable in the body of a clause $C$ is said to be existential iff it does not occur in the head of $C$. The definition of a predicate $p$ in a program $P$, denoted by $Def(p, P)$, is the set of the clauses of $P$ whose head predicate is $p$. The extended definition of a predicate $p$ in a program $P$, denoted by $Def^*(p, P)$, is the union of the definition of $p$ and the definitions of all predicates in $P$ on which $p$ depends. (See [?] for the definition of the depends on relation.) A program is propositional iff every predicate occurring in the program is nullary. Obviously, if $P$ is a propositional program then, for every predicate $p$, $M(P) \models p$ is decidable.

A transformation sequence is a sequence $P_0, \ldots, P_n$ of programs, where for $0 \leq k \leq n-1$, program $P_{k+1}$ is derived from program $P_k$ by the application of one of the transformation rules R1-R4 listed below. For $0 \leq k \leq n$, we consider the set $Defs_k$ of the clauses introduced by the following rule R1 during the construction of the transformation sequence $P_0, \ldots, P_k$.

When considering clauses of programs, we will feel free to apply the following transformations which preserve the perfect model semantics:

(1) renaming of variables,

(2) rearrangement of the order of the literals in the body of a clause, and

(3) replacement of a conjunction of literals of the form $L \wedge L$ in the body of a clause by the literal $L$.

Rule R1. Definition. We get the new program $P_{k+1}$ by adding to program $P_k$ a clause of the form $newp(X_1, \ldots, X_r) \leftarrow L_1 \wedge \ldots \wedge L_m$, where: (i) the predicate $newp$ is a predicate which does not occur in $P_0 \cup Defs_k$, and (ii) $X_1, \ldots, X_r$ are distinct (individual or set) variables occurring in $L_1 \wedge \ldots \wedge L_m$.

Rule R2. Unfolding. Let $C$ be a renamed apart clause in $P_k$ of the form $H \leftarrow G_1 \wedge L \wedge G_2$, where $L$ is either the atom $A$ or the negated atom $\neg A$. Let $H_1 \leftarrow B_1, \ldots, H_m \leftarrow B_m$, with $m \geq 0$, be all clauses of program $P_k$ whose head is unifiable with $A$ and, for $j = 1, \ldots, m$, let $\vartheta_j$ be the most general unifier of $A$ and $H_j$. We consider the following two cases.

Case 1: $L$ is $A$. By unfolding clause $C$ w.r.t. $A$ we derive the new program $P_{k+1} = (P_k - \{C\}) \cup \{(H \leftarrow G_1 \wedge B_1 \wedge G_2)\vartheta_1, \ldots, (H \leftarrow G_1 \wedge B_m \wedge G_2)\vartheta_m\}$. In particular, if $m = 0$, that is, if we unfold $C$ w.r.t. an atom which is not unifiable with the head of any clause in $P_k$, then we derive the program $P_{k+1}$ by deleting clause $C$.

Case 2: $L$ is $\neg A$. Assume that: (i) $A = H_1\vartheta_1 = \cdots = H_m\vartheta_m$, that is, for $j = 1, \ldots, m$, $A$ is an instance of $H_j$, (ii) for $j = 1, \ldots, m$, $H_j \leftarrow B_j$ has no existential variables, and (iii) $Q_1 \vee \ldots \vee Q_r$, with $r \geq 0$, is the disjunctive normal form of $G_1 \wedge \neg(B_1\vartheta_1 \vee \ldots \vee B_m\vartheta_m) \wedge G_2$. By unfolding clause $C$ w.r.t. $\neg A$ we derive the new program $P_{k+1} = (P_k - \{C\}) \cup \{C_1, \ldots, C_r\}$, where for $j = 1, \ldots, r$, $C_j$ is the clause $H \leftarrow Q_j$.

In particular: (i) if $m = 0$, that is, $A$ is not unifiable with the head of any clause in $P_k$, then we get the new program $P_{k+1}$ by deleting $\neg A$ from the body of clause $C$, and (ii) if for some $j \in \{1, \ldots, m\}$, $B_j$ is the empty conjunction, that is, $A$ is an instance of the head of a unit clause in $P_k$, then we derive $P_{k+1}$ by deleting clause $C$ from $P_k$.

Rule R3. Folding. Let $C$: $H \leftarrow G_1 \wedge B\vartheta \wedge G_2$ be a renamed apart clause in $P_k$ and $D$: $Newp \leftarrow B$ be a clause in $Defs_k$. Suppose that for every existential variable $X$ of $D$, we have that $X\vartheta$ is a variable which occurs neither in $\{H, G_1, G_2\}$ nor in the term $Y\vartheta$, for any variable $Y$ occurring in $B$ and different from $X$. By folding clause $C$ using clause $D$ we derive the new program $P_{k+1} = (P_k - \{C\}) \cup \{H \leftarrow G_1 \wedge Newp\vartheta \wedge G_2\}$.

Rule R4. Propositional Simplification. Let $p$ be a predicate such that $Def^*(p, P_k)$ is propositional. If $M(Def^*(p, P_k)) \models p$ then we derive $P_{k+1} = (P_k - Def(p, P_k)) \cup \{p \leftarrow\}$. If $M(Def^*(p, P_k)) \models \neg p$ then we derive $P_{k+1} = P_k - Def(p, P_k)$.

Notice that we can check whether or not $M(P) \models p$ holds by applying program transformation techniques [?] and thus, Rule R4 may be viewed as a derived rule.

The transformation rules R1-R4 we have introduced above are collectively called unfold/fold transformation rules. We have the following correctness result, similar to [?].

Theorem 3. [Correctness of the Unfold/Fold Transformation Rules]

Let us assume that during the construction of a transformation sequence $P_0, \ldots, P_n$, each clause of $Defs_n$ which is used for folding is unfolded (before or after its use for folding) w.r.t. an atom whose predicate symbol occurs in $P_0$. Then

$M(P_0 \cup Defs_n) = M(P_n)$.

Notice that the statement obtained from Theorem 3 by replacing 'atom' by 'literal' does not hold [?].

5 The Unfold/Fold Synthesis Method

In this section we present our program synthesis method, called unfold/fold synthesis method, which derives a definite program from any given WS1S formula. We show that the synthesis method terminates for all given formulas and also that the derived programs terminate according to the following notion of program termination: a program $P$ terminates for a query $Q$ iff every SLD-derivation of $P \cup \{Q\}$ via any computation rule is finite.

The following is an outline of our unfold/fold synthesis method.

The Unfold/Fold Synthesis Method.

Let $\varphi$ be a WS1S formula with free variables $X_1, \ldots, X_n$ and let $\varphi_\tau$ be the explicitly typed formula corresponding to $\varphi$.

Step 1. We apply the typed Lloyd-Topor transformation and we derive a set $Cls(f, \varphi_\tau)$ of clauses such that: (i) $f$ is a new $n$-ary predicate symbol, (ii) $NatSet \cup Cls(f, \varphi_\tau)$ is a stratified program, and (iii) for all ground terms $t_1, \ldots, t_n$,

(1) $M(NatSet) \models \varphi_\tau\{X_1/t_1, \ldots, X_n/t_n\}$ iff $M(NatSet \cup Cls(f, \varphi_\tau)) \models f(t_1, \ldots, t_n)$

Step 2. We apply the unfold/fold transformation strategy (see below) and from the program $NatSet \cup Cls(f, \varphi_\tau)$ we derive a definite program TransfP such that, for all ground terms $t_1, \ldots, t_n$,

(2.1) $M(NatSet \cup Cls(f, \varphi_\tau)) \models f(t_1, \ldots, t_n)$ iff $M(TransfP) \models f(t_1, \ldots, t_n)$;

(2.2) TransfP terminates for the query $f(t_1, \ldots, t_n)$.

In order to present the unfold/fold transformation strategy which we use for realizing Step 2 of our synthesis method, we introduce the following notions of regular natset-typed clauses and natset-typed definitions.

We say that a literal is linear iff each variable occurs at most once in it. The syntax of regular natset-typed clauses is defined by the following grammar (recall that by $N$ we denote individual variables, by $S$ we denote set variables, and by $X, X_1, X_2, \ldots$ we denote either individual or set variables):

Head terms: $h ::= 0 \mid s(N) \mid [\,] \mid [y|S] \mid [n|S]$

Clauses: $C ::= p(h_1, \ldots, h_k) \leftarrow \;\mid\; p_1(h_1, \ldots, h_k) \leftarrow p_2(X_1, \ldots, X_m)$

where for every clause $C$, (i) both $hd(C)$ and $bd(C)$ are linear atoms, and (ii) $\{X_1, \ldots, X_m\} \subseteq vars(h_1, \ldots, h_k)$ (that is, $C$ has no existential variables). A regular natset-typed program is a set of regular natset-typed clauses.

The reader may check that the program NatSet presented in Section 3 is a regular natset-typed program. The following properties are straightforward consequences of the definition of regular natset-typed program.

Lemma 1. Let $P$ be a regular natset-typed program. Then:

(i) $P$ terminates for every ground query $p(t_1, \ldots, t_n)$ with $n \geq 0$;

(ii) if $p$ is a nullary predicate then $Def^*(p, P)$ is propositional.



The syntax of natset-typed definitions is given by the following grammar:

Individual terms: $n ::= 0 \mid N \mid s(n)$

Terms: $t ::= n \mid S$

Type atoms: $T ::= nat(N) \mid set(S)$

Literals: $L ::= p(t_1, \ldots, t_k) \mid \neg p(t_1, \ldots, t_k)$

Definitions: $D ::= p(X_1, \ldots, X_k) \leftarrow T_1 \wedge \ldots \wedge T_r \wedge L_1 \wedge \ldots \wedge L_m$

where for all definitions $D$, $vars(D) \subseteq vars(T_1 \wedge \ldots \wedge T_r)$.

A sequence $D_1, \ldots, D_s$ of natset-typed definitions is said to be a hierarchy iff for $i = 1, \ldots, s$ the predicate appearing in $hd(D_i)$ does not occur in $D_1, \ldots, D_{i-1}, bd(D_i)$. Notice that in a hierarchy of natset-typed definitions, any predicate occurs in the head of at most one clause.

One can show that given a WS1S formula $\varphi$ the set $Cls(f, \varphi_\tau)$ of clauses derived by applying the typed Lloyd-Topor transformation is a hierarchy $D_1, \ldots, D_s$ of natset-typed definitions and the last clause $D_s$ is the one defining $f$.
The Unfold/Fold Transformation Strategy.

Input: (i) A regular natset-typed program $P$ where for each nullary predicate $p$, $Def^*(p, P)$ is either the empty set or the singleton $\{p \leftarrow\}$, and (ii) a hierarchy $D_1, \ldots, D_s$ of natset-typed definitions such that no predicate occurring in $P$ occurs also in the head of a clause in $D_1, \ldots, D_s$.

Output: A regular natset-typed program TransfP such that, for all ground terms $t_1, \ldots, t_n$,

(2.1) $M(P \cup \{D_1, \ldots, D_s\}) \models f(t_1, \ldots, t_n)$ iff $M(TransfP) \models f(t_1, \ldots, t_n)$;

(2.2) TransfP terminates for the query $f(t_1, \ldots, t_n)$.

TransfP := P; Defs := ∅;

FOR i = 1, ..., s DO

Defs := Defs ∪ {D_i}; InDefs := {D_i};

By the definition rule we derive the program TransfP ∪ InDefs.

WHILE InDefs ≠ ∅ DO

(1) Unfolding. From program TransfP ∪ InDefs we derive TransfP ∪ U by: (i) applying the unfolding rule w.r.t. each atom occurring positively in the body of a clause in InDefs, thereby deriving TransfP ∪ U_1, then (ii) applying the unfolding rule w.r.t. each negative literal occurring in the body of a clause in U_1, thereby deriving TransfP ∪ U_2, and, finally, (iii) applying the unfolding rule w.r.t. ground literals until we derive a program TransfP ∪ U such that no ground literal occurs in the body of a clause of U.

(2) Definition-Folding. From program TransfP ∪ U we derive TransfP ∪ F ∪ NewDefs as follows. Initially, NewDefs is the empty set. For each non-unit clause $C$: $H \leftarrow B$ in U,

(i) we apply the definition rule and we add to NewDefs a clause of the form $newp(X_1, \ldots, X_k) \leftarrow B$, where $X_1, \ldots, X_k$ are the non-existential variables occurring in $B$, unless a variant clause already occurs in Defs, modulo the head predicate symbol and the order and multiplicity of the literals in the body, and

(ii) we replace $C$ by the clause derived by folding $C$ w.r.t. $B$. The folded clause is an element of F.

No transformation rule is applied to the unit clauses occurring in U and, therefore, also these clauses are elements of F.

(3) TransfP := TransfP ∪ F; Defs := Defs ∪ NewDefs; InDefs := NewDefs

END WHILE;

Propositional Simplification. For each predicate $p$ such that $Def^*(p, TransfP)$ is propositional, we apply the propositional simplification rule and

if $M(TransfP) \models p$
then TransfP := (TransfP − Def(p, TransfP)) ∪ {p ←}
else TransfP := TransfP − Def(p, TransfP)

END FOR
The reader may verify that if we apply the unfold/fold transformation strategy starting from the program NatSet together with the clauses $Cls(max, \mu_\tau)$ which we have derived above by applying the typed Lloyd-Topor transformation, we get the following final program:

$max([y|S], 0) \leftarrow new1(S)$
$max([y|S], s(N)) \leftarrow max(S, N)$
$max([n|S], s(N)) \leftarrow max(S, N)$
$new1([\,]) \leftarrow$
$new1([n|S]) \leftarrow new1(S)$

To understand the first clause, recall that the empty set is represented by any list of the form $[n, \ldots, n]$. A more detailed example of application of the unfold/fold transformation strategy will be given later.
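To make the correspondence (2.1) concrete for this example, the following Python code (added here; it is not code from the paper or from the MAP system) transcribes the NatSet clauses for $\leq$ and $\in$, the Step 1 program $Cls(max, \mu_\tau)$ and the final program above, over the paper's encoding (a natural number $k$ written as a Python int standing for $s^k(0)$, a set as a list of `"y"`/`"n"` entries), and checks exhaustively on small inputs that all three agree with the meaning of $\mu$ in $\mathcal{N}$. The function names and the bounds of the exhaustive check are choices of this example.

```python
from itertools import product
from typing import Iterator, List

Bits = List[str]   # a finite set as [b0, b1, ...] with bi in {"y", "n"}: k is in the set iff bk == "y"

# --- NatSet clauses for <= and "in"; naturals are ints standing for s^k(0) (this example's encoding) ---
def leq(n1: int, n2: int) -> bool:
    # 0 <= N <-          s(N1) <= s(N2) <- N1 <= N2        (no clause head matches s(_) <= 0)
    if n1 == 0:
        return True
    return n2 > 0 and leq(n1 - 1, n2 - 1)

def mem(n: int, bits: Bits) -> bool:
    # 0 in [y|S] <-      s(N) in [B|S] <- N in S           (no clause head matches N in [])
    if not bits:
        return False
    return bits[0] == "y" if n == 0 else mem(n - 1, bits[1:])

def members(bits: Bits) -> Iterator[int]:
    # the answers to the query N in S for a ground S, in the order SLD resolution finds them
    if bits:
        if bits[0] == "y":
            yield 0
        for n in members(bits[1:]):
            yield n + 1

# --- Step 1: the stratified program Cls(max, mu_tau); the type atoms hold for every ground input ---
def newp(bits: Bits, n: int) -> bool:
    # newp(S,N) <- nat(N) & nat(N1) & set(S) & N1 in S & not N1 <= N
    return any(not leq(n1, n) for n1 in members(bits))

def max_step1(bits: Bits, n: int) -> bool:
    # max(S,N) <- nat(N) & set(S) & N in S & not newp(S,N)
    return mem(n, bits) and not newp(bits, n)

# --- Step 2: the definite program produced by the unfold/fold strategy ---
def new1(bits: Bits) -> bool:
    # new1([]) <-        new1([n|S]) <- new1(S)            i.e. S represents the empty set
    return all(b == "n" for b in bits)

def max_final(bits: Bits, n: int) -> bool:
    # max([y|S],0) <- new1(S)   max([y|S],s(N)) <- max(S,N)   max([n|S],s(N)) <- max(S,N)
    if not bits:
        return False
    if n == 0:
        return bits[0] == "y" and new1(bits[1:])
    return max_final(bits[1:], n - 1)

# --- The meaning of mu in the interpretation N: N is in S and no member of S exceeds N ---
def max_spec(bits: Bits, n: int) -> bool:
    s = {k for k, b in enumerate(bits) if b == "y"}
    return n in s and not any(n1 in s and not n1 <= n for n1 in s)

def all_agree(max_len: int = 5, max_n: int = 6) -> bool:
    """Compare spec, Step 1 program and final program on every list up to max_len and every n up to max_n."""
    for length in range(max_len + 1):
        for bits in product("yn", repeat=length):
            for n in range(max_n + 1):
                answers = {max_spec(list(bits), n), max_step1(list(bits), n), max_final(list(bits), n)}
                if len(answers) != 1:
                    return False
    return True

if __name__ == "__main__":
    # the padding lists ["y","n"] and ["y","n","n"] represent the same set, so both answers agree
    print(max_final(["y", "n", "y"], 2), max_final(["y", "n"], 0), max_final(["y", "n", "n"], 0))
    print(all_agree())
```

Both `max_step1` and `max_final` are structurally recursive on their ground arguments, which is why every call returns; the difference the strategy makes is that `max_final` has no negation and no call to the membership or ordering predicates at all, matching the shape of a regular natset-typed program.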

In order to prove the correctness and the termination of our unfold/fold 
transformation strategy we need the following lemmas whose proofs are mutually 
dependent. 

Lemma 2. During the application of the unfold/fold transformation strategy, 
TransfP is a regular natset-typed program. 

Proof. Initially, TransfP is the regular natset-typed program P. Now we assume 
that TransfP is a regular natset-typed program and we show that after an ex- 
ecution of the body of the FOR statement, TransfP is a regular natset-typed 
program. 

First we prove that after the execution of the WHILE statement, TransfP is 
a regular natset-typed program. In order to prove this, we show that every new 
clause E which is added to TransfP at Point (3) of the strategy is a regular 
natset-typed clause. 

Clause E is derived from a clause D of InDefs by unfolding (according to the Unfolding phase) and by folding (according to the Definition-Folding phase). By Lemma 3, D is a natset-typed definition of the form $p(X_1,\ldots,X_k) \leftarrow T_1 \wedge \ldots \wedge T_r \wedge L_1 \wedge \ldots \wedge L_m$. By unfolding w.r.t. the type atoms $T_1,\ldots,T_r$ (according to Point (i) of the Unfolding phase) we get clauses of the form $p(h_1,\ldots,h_k) \leftarrow T'_1 \wedge \ldots \wedge T'_{r_1} \wedge L'_1 \wedge \ldots \wedge L'_m$, where: (a) $h_1,\ldots,h_k$ are head terms, (b) $p(h_1,\ldots,h_k)$ is a linear atom (because $X_1,\ldots,X_k$ are distinct variables), and (c) for $i = 1,\ldots,m$, no argument of $L'_i$ is a variable. By the inductive hypothesis TransfP is a regular natset-typed program and, therefore, by unfolding w.r.t. the literals $L'_1,\ldots,L'_m$ (according to Points (ii) and (iii) of the Unfolding phase) we get clauses of the form $D'\colon p(h_1,\ldots,h_k) \leftarrow T''_1 \wedge \ldots \wedge T''_{r_2} \wedge L''_1 \wedge \ldots \wedge L''_{m_2}$. Either D' is a unit clause or, by folding according to the Definition-Folding phase, it is replaced by $p(h_1,\ldots,h_k) \leftarrow newp(X_1,\ldots,X_m)$ where $X_1,\ldots,X_m$ are the distinct, non-existential variables occurring in $bd(D')$. Hence, E is either a unit clause of the form $p(h_1,\ldots,h_k) \leftarrow$ or a clause of the form $p(h_1,\ldots,h_k) \leftarrow newp(X_1,\ldots,X_m)$, where $\{X_1,\ldots,X_m\} \subseteq vars(h_1,\ldots,h_k)$. Thus, E is a regular natset-typed clause.

We conclude the proof by observing that if we apply the propositional simplification rule to a natset-typed program, then we derive a natset-typed program, because by this rule we can only delete clauses or add natset-typed clauses of the form $p \leftarrow$. Thus, after an execution of the body of the FOR statement, TransfP is a regular natset-typed program. □

Lemma 3. During the application of the unfold/fold transformation strategy, 
InDefs is a set of natset-typed definitions. 

Proof. Let us consider the i-th execution of the body of the FOR statement. Initially, InDefs is the singleton set $\{D_i\}$ of natset-typed definitions. Now we assume that InDefs is a set of natset-typed definitions and we prove that, after an execution of the WHILE statement, InDefs is a set of natset-typed definitions. It is enough to show that every new clause E which is added to InDefs at Point (3) of the strategy is a natset-typed definition. By the Folding phase of the strategy, E is a clause of the form $newp(X_1,\ldots,X_k) \leftarrow B$ where B is the body of a clause derived from a clause D of InDefs by unfolding. By the inductive hypothesis, D is a natset-typed definition of the form $p(X_1,\ldots,X_k) \leftarrow T_1 \wedge \ldots \wedge T_r \wedge L_1 \wedge \ldots \wedge L_m$. By unfolding w.r.t. the type atoms $T_1,\ldots,T_r$ (according to Point (i) of the Unfolding phase) we get clauses of the form $D'\colon p(h_1,\ldots,h_k) \leftarrow T'_1 \wedge \ldots \wedge T'_{r_1} \wedge L'_1 \wedge \ldots \wedge L'_m$, where $vars(D') \subseteq vars(T'_1 \wedge \ldots \wedge T'_{r_1})$. Since, by Lemma 2, TransfP is a regular natset-typed program, by unfolding w.r.t. the literals $L'_1,\ldots,L'_m$ (according to Points (ii) and (iii) of the Unfolding phase) we get clauses of the form $D''\colon p(h_1,\ldots,h_k) \leftarrow T''_1 \wedge \ldots \wedge T''_{r_2} \wedge L''_1 \wedge \ldots \wedge L''_{m_2}$ where $vars(D'') \subseteq vars(T''_1 \wedge \ldots \wedge T''_{r_2})$. Thus, E is a natset-typed definition of the form $newp(X_1,\ldots,X_k) \leftarrow T''_1 \wedge \ldots \wedge T''_{r_2} \wedge L''_1 \wedge \ldots \wedge L''_{m_2}$ with $vars(E) \subseteq vars(T''_1 \wedge \ldots \wedge T''_{r_2})$.

We conclude the proof by observing that the Propositional Simplification phase does not change InDefs, and thus, after the execution of the body of the FOR statement, InDefs is a set of natset-typed definitions. □

Theorem 4. Let P and $D_1,\ldots,D_s$ be the input program and the input hierarchy, respectively, of the unfold/fold transformation strategy and let TransfP be the output of the strategy. Then,

(1) TransfP is a natset-typed program;

(2) for every nullary predicate p, $Def^*(p,\mathit{TransfP})$ is either $\emptyset$ or $\{p \leftarrow\}$;

(3) for all ground terms $t_1,\ldots,t_n$,

(3.1) $M(P \cup \{D_1,\ldots,D_s\}) \models f(t_1,\ldots,t_n)$ iff $M(\mathit{TransfP}) \models f(t_1,\ldots,t_n)$;

(3.2) TransfP terminates for the query $f(t_1,\ldots,t_n)$.

Proof. Point (1) is a straightforward consequence of Lemma 2.

For Point (2), let us notice that, by Lemma 2, at each point of the unfold/fold transformation strategy TransfP is a natset-typed program and therefore, by Lemma 1, for every nullary predicate p, $Def^*(p,\mathit{TransfP})$ is propositional. Since the last step of the unfold/fold transformation strategy consists in applying to TransfP the propositional simplification rule for each predicate having a propositional extended definition, $Def^*(p,\mathit{TransfP})$ is either $\emptyset$ or $\{p \leftarrow\}$.
Point (3.1) will be proved by using the correctness of the transformation rules w.r.t. the Perfect Model semantics (see Theorem [?]). Let us first notice that the unfold/fold transformation strategy generates a transformation sequence (see Section [?]), where: the initial program is P, the final program is the final value of TransfP, and the set of clauses introduced by the definition rule R1 is the final value of Defs.

To see that our strategy indeed generates a transformation sequence, let us observe the following facts (A) and (B):

(A) The addition of InDefs to TransfP at the beginning of each execution of the body of the FOR statement is an application of the definition rule. Indeed, for $i = 1,\ldots,s$, $\mathit{InDefs} = \{D_i\}$ and, by the hypotheses on the input sequence $D_1,\ldots,D_s$, we have that the head predicate of $D_i$ does not occur in the current value of $P \cup \mathit{Defs}$.

(B) When we unfold the clauses of $U_i$ w.r.t. negative literals, we have that:

(B.1) Condition (i) of Case (2) of the unfolding rule (see Section [?]) is satisfied because:

(a) Every clause D of InDefs is a natset-typed definition (see Lemma 3) and, thus, for each variable X occurring in D there is a type atom of the form $a(X)$ in $bd(D)$. Since we unfold the clauses of InDefs w.r.t. all the atoms which occur positively in the bodies of the clauses in InDefs, and in particular, w.r.t. type atoms, every argument of a negative literal in the body of a clause of $U_i$ is of one of the following forms: $0$, $s(N)$, $[\,]$, $[y|S]$, $[n|S]$.

(b) For each negative literal $\neg p(t_1,\ldots,t_k)$ in the body of a clause of $U_i$, the definition of p is a subset of the regular natset-typed program TransfP (see Lemma 2) and, hence, the head of a clause in TransfP is a linear atom of the form $p(h_1,\ldots,h_k)$, where $h_1,\ldots,h_k$ are head terms (see the definition of regular natset-typed clauses above).

From (a) and (b) it follows that if $p(t_1,\ldots,t_k)$ is unifiable with $p(h_1,\ldots,h_k)$ then $p(t_1,\ldots,t_k)$ is an instance of $p(h_1,\ldots,h_k)$.

(B.2) Condition (ii) of Case (2) of the unfolding rule is satisfied because TransfP is a regular natset-typed program (see Lemma 2) and, thus, no clause in TransfP has existential variables.

Now, the transformation sequence constructed by the unfold/fold transformation strategy satisfies the hypothesis of Theorem [?]. Indeed, let us consider a clause D which is used for folding a clause C. Since C has been derived at the end of the Unfolding phase, no ground literal occurs in $bd(C)$ and, thus, there is at least one variable occurring in D. Hence, there is at least one type atom in $bd(D)$, because D is a natset-typed definition (see Lemma 3). Therefore, during an application of the unfold/fold transformation strategy (before or after the use of D for folding), D is unfolded w.r.t. a type atom (see Point (i) of the Unfolding phase). Thus, by Theorem [?] we have that $M(P \cup \mathit{Defs}) = M(\mathit{TransfP})$, where by Defs and TransfP we indicate the values of these variables at the end of the unfold/fold transformation strategy. Observe that $Def^*(f, P \cup \mathit{Defs}) = Def^*(f, P \cup \{D_1,\ldots,D_s\})$ and, therefore, $M(P \cup \{D_1,\ldots,D_s\}) \models f(t_1,\ldots,t_n)$ iff $M(P \cup \mathit{Defs}) \models f(t_1,\ldots,t_n)$ iff $M(\mathit{TransfP}) \models f(t_1,\ldots,t_n)$.
Finally, let us prove Point (3.2). We consider the following two cases:

($n = 0$) f is nullary and hence, by Point (2) of this theorem, $Def^*(f,\mathit{TransfP})$ is either $\emptyset$ or $\{f \leftarrow\}$. Thus, TransfP terminates for the query f.

($n > 0$) By Point (1) of this theorem, TransfP is a natset-typed program and thus, by Lemma 1, TransfP terminates for the ground query $f(t_1,\ldots,t_n)$. □

Theorem 5. The unfold/fold transformation strategy terminates. 

Proof. We have to show that the WHILE statement in the body of the FOR 
statement terminates. 

Each execution of the Unfolding phase terminates. Indeed, (a) the number of applications of the unfolding rule at Points (i) and (ii) is finite, because InDefs is a finite set of clauses and the body of each clause has a finite number of literals, and (b) at Point (iii) only a finite number of unfolding steps can be applied w.r.t. ground literals, because the program held by TransfP during the Unfolding phase terminates for every ground query. To see this latter fact, let us notice that, by Lemma 2, TransfP is a natset-typed program. Thus, by Lemma 1, TransfP terminates for any ground query $p(t_1,\ldots,t_n)$ with $n \geq 1$. For a ground query p, where p is a nullary predicate, TransfP terminates because $Def^*(p,\mathit{TransfP})$ is either the empty set or it is the singleton $\{p \leftarrow\}$. Indeed, this follows from our assumptions on the input program and from the execution of the Propositional Simplification phase after completion of the WHILE statement.

Each execution of the Definition-Folding phase terminates because a finite 
number of clauses are introduced by definition and a finite number of clauses are 
folded. 

Thus, in order to show that the strategy terminates, it is enough to show that after a finite number of executions of the body of the WHILE statement, we get $\mathit{InDefs} = \emptyset$. Let $\mathit{Defs}_j$ and $\mathit{InDefs}_j$ be the values of Defs and InDefs, respectively, at the end of the j-th execution of the body of the WHILE statement. If the WHILE statement terminates after z executions of its body, then, for all $j > z$, we define $\mathit{Defs}_j$ to be $\mathit{Defs}_z$ and $\mathit{InDefs}_j$ to be $\emptyset$. We have that, for any $j \geq 1$, $\mathit{InDefs}_j = \emptyset$ iff $\mathit{Defs}_{j-1} = \mathit{Defs}_j$. Since for all $j \geq 1$, $\mathit{Defs}_{j-1} \subseteq \mathit{Defs}_j$, the termination of the strategy will follow from the following property:

there exists $K \geq 0$ such that, for all $j \geq 1$, $|\mathit{Defs}_j| \leq K$   (*)

Let $\mathit{TransfP}_0$, $\mathit{Defs}_0$, and $\mathit{InDefs}_0$ ($\subseteq \mathit{Defs}_0$) be the values of TransfP, Defs, and InDefs, respectively, at the beginning of the execution of the WHILE statement. By Lemma 3, for all $j \geq 1$, $\mathit{Defs}_j$ is a set of natset-typed definitions. Property (*) follows from the fact that, for all $D \in \mathit{Defs}_j$, the following holds:

(a) every predicate occurring in $bd(D)$ also occurs in $\mathit{TransfP}_0 \cup \mathit{InDefs}_0$;

(b) for every literal L occurring in $bd(D)$,

$height(L) \leq \max\{height(M) \mid M \text{ is a literal in the body of a clause in } \mathit{Defs}_0\}$

where the height of a literal is defined as the length of the maximal path from the root to a leaf of the literal considered as a tree;

(c) $|vars(D)| \leq \max\{|vars(D')| \mid D' \text{ is a clause in } \mathit{Defs}_0\}$;

(d) no two clauses in $\mathit{Defs}_j$ can be made equal by one or more applications of the following transformations: renaming of variables, renaming of head predicates, rearrangement of the order of the literals in the body, and deletion of duplicate literals.

Recall that $bd(D)$ is equal to $bd(E')$ where E' is derived by unfolding (according to the Unfolding phase of the strategy) a clause E in $\mathit{TransfP}_0 \cup \mathit{InDefs}_0$ and E belongs to $\mathit{InDefs}_j$.

Now Property (a) is a straightforward consequence of the definition of the unfolding rule.

Property (b) can be shown as follows. E is of the form $newp(X_1,\ldots,X_k) \leftarrow T_1 \wedge \ldots \wedge T_r \wedge L_1 \wedge \ldots \wedge L_m$. By unfolding w.r.t. the type atoms $T_1,\ldots,T_r$ (according to Point (i) of the Unfolding phase) we get clauses of the form $newp(h_1,\ldots,h_k) \leftarrow T'_1 \wedge \ldots \wedge T'_{r_1} \wedge L'_1 \wedge \ldots \wedge L'_m$, where $h_1,\ldots,h_k$ are head terms and, for all $i \in \{1,\ldots,m\}$, $height(L'_i) \leq height(L_i) + 1$. By Lemma 2, $\mathit{TransfP}_0$ is a regular natset-typed program and, therefore, by unfolding w.r.t. the literals $L'_1,\ldots,L'_m$ (according to Point (ii) of the Unfolding phase) we get clauses of the form $newp(h_1,\ldots,h_k) \leftarrow T''_1 \wedge \ldots \wedge T''_{r_2} \wedge L''_1 \wedge \ldots \wedge L''_{m_2}$, where for all $i \in \{1,\ldots,m_2\}$ there exists $i_1 \in \{1,\ldots,m\}$ such that $height(L''_i) = height(L'_{i_1}) - 1$. Thus, Property (b) follows from the fact that E' is derived by unfolding w.r.t. ground literals from a clause of the form $newp(h_1,\ldots,h_k) \leftarrow T''_1 \wedge \ldots \wedge T''_{r_2} \wedge L''_1 \wedge \ldots \wedge L''_{m_2}$ and every unfolding w.r.t. a ground literal does not increase the height of the other literals in a clause.

Property (c) follows from Lemma 2 and the fact that by unfolding a clause E using regular natset-typed clauses we get clauses E' where $vars(E') \subseteq vars(E)$. To see this, recall that in a regular natset-typed clause C every term has at most one variable and $vars(bd(C)) \subseteq vars(hd(C))$ and, thus, by unfolding, a variable is replaced by a term with at most one variable and no new variables are introduced.

Finally, Point (d) is a consequence of Point (i) of the Definition-Folding phase of the unfold/fold strategy. □

6 Deciding WS1S via the Unfold/Fold Proof Method

In this section we show that if we start from a closed WS1S formula $\varphi$, our synthesis method can be used for checking whether or not $\mathcal{N} \models \varphi$ holds and, thus, our synthesis method works also as a proof method which is a decision procedure for closed WS1S formulas.

If $\varphi$ is a closed WS1S formula then the predicate f introduced when constructing the set $Cls(f,\varphi_r)$ is a nullary predicate. Let TransfP be the program derived by the unfold/fold transformation strategy starting from the program $\mathit{NatSet} \cup Cls(f,\varphi_r)$. As already known from Point (2) of Theorem 4, we have that $Def^*(f,\mathit{TransfP})$ is either the empty set or the singleton $\{f \leftarrow\}$. Thus, we can decide whether or not $\mathcal{N} \models \varphi$ holds by checking whether or not $f \leftarrow$ belongs to TransfP. Since the unfold/fold transformation strategy always terminates, we have that our unfold/fold synthesis method is indeed a decision procedure for closed WS1S formulas. We summarize our proof method as follows.
The Unfold/Fold Proof Method.

Let $\varphi$ be a closed WS1S formula.

Step 1. We apply the typed Lloyd-Topor transformation and we derive the set $Cls(f,\varphi_r)$ of clauses.

Step 2. We apply the unfold/fold transformation strategy and from the program $\mathit{NatSet} \cup Cls(f,\varphi_r)$ we derive a definite program TransfP.

If the unit clause $f \leftarrow$ belongs to TransfP then $\mathcal{N} \models \varphi$ else $\mathcal{N} \models \neg\varphi$.

Now we present a simple example of application of our unfold/fold proof method.

Example 1. (An application of the unfold/fold proof method.) Let us consider the closed WS1S formula $\varphi\colon \forall X\,\exists Y\ X < Y$. By applying the typed Lloyd-Topor transformation starting from the statement $f \leftarrow \varphi$, we get the following set of clauses $Cls(f,\varphi_r)$:

1. $h(X) \leftarrow nat(X) \wedge nat(Y) \wedge X < Y$

2. $g \leftarrow nat(X) \wedge \neg h(X)$

3. $f \leftarrow \neg g$

Now we apply the unfold/fold transformation strategy to the program $\mathit{NatSet}$ and the following hierarchy of natset-typed definitions: clause 1, clause 2, clause 3. Initially, the program TransfP is $\mathit{NatSet}$. The transformation strategy proceeds left-to-right over that hierarchy.

(1) Defs and InDefs are both set to {clause 1}.

(1.1) Unfolding. By unfolding, from clause 1 we get:

4. $h(0) \leftarrow$

5. $h(0) \leftarrow nat(Y)$

6. $h(s(X)) \leftarrow nat(X) \wedge nat(Y) \wedge X < Y$

(1.2) Definition-Folding. In order to fold the body of clause 5 we introduce the following new clause:

7. $new1 \leftarrow nat(Y)$

Clause 6 can be folded by using clause 1. By folding clauses 5 and 6 we get:

8. $h(0) \leftarrow new1$

9. $h(s(X)) \leftarrow h(X)$

(1.3) At this point TransfP = $\mathit{NatSet}$ ∪ {clause 4, clause 8, clause 9}, Defs = {clause 1, clause 7}, and InDefs = {clause 7}.

(1.4) By first unfolding clause 7 and then folding using clause 7 itself, we get:

10. $new1 \leftarrow$

11. $new1 \leftarrow new1$

No new clause is introduced (i.e., NewDefs = $\emptyset$). At this point TransfP = $\mathit{NatSet}$ ∪ {clause 4, clause 8, clause 9, clause 10, clause 11}, Defs = {clause 1, clause 7}, and InDefs = $\emptyset$. Thus, the WHILE statement terminates. Since $Def^*(new1,\mathit{TransfP})$ is propositional and $M(\mathit{TransfP}) \models new1$, by the propositional simplification rule we have:

TransfP = $\mathit{NatSet}$ ∪ {clause 4, clause 8, clause 9, clause 10}.

(2) Defs is set to {clause 1, clause 2, clause 7} and InDefs is set to {clause 2}.

(2.1) Unfolding. By unfolding, from clause 2 we get:

12. $g \leftarrow nat(X) \wedge \neg h(X)$

(Notice that, by unfolding, the clause $g \leftarrow \neg h(0)$ is deleted.)

(2.2) Definition-Folding. Clause 12 can be folded by using clause 2 which occurs in Defs. Thus, no new clause is introduced (i.e., NewDefs = $\emptyset$) and by folding we get:

13. $g \leftarrow g$

(2.3) At this point TransfP = $\mathit{NatSet}$ ∪ {clause 4, clause 8, clause 9, clause 10, clause 13}, Defs = {clause 1, clause 2, clause 7}, and InDefs = $\emptyset$. Thus, the WHILE statement terminates.

Since $Def^*(g,\mathit{TransfP})$ is propositional and $M(\mathit{TransfP}) \models \neg g$, by the propositional simplification rule we delete clause 13 from TransfP and we have:

TransfP = $\mathit{NatSet}$ ∪ {clause 4, clause 8, clause 9, clause 10}.

(3) Defs is set to {clause 1, clause 2, clause 3, clause 7} and InDefs is set to {clause 3}.

(3.1) Unfolding. By unfolding clause 3 we get:

14. $f \leftarrow$

(Recall that there is no clause in TransfP with head g.)

(3.2) Definition-Folding. No transformation steps are performed on clause 14 because it is a unit clause.

(3.3) At this point TransfP = $\mathit{NatSet}$ ∪ {clause 4, clause 8, clause 9, clause 10, clause 14}, Defs = {clause 1, clause 2, clause 3, clause 7}, and InDefs = $\emptyset$. The transformation strategy terminates and, since the final program TransfP includes the unit clause $f \leftarrow$, we have proved that $\mathcal{N} \models \forall X\,\exists Y\ X < Y$.

We would like to notice that neither SLDNF nor Tabled Resolution (as implemented in the XSB system [?]) are able to construct a refutation of $\mathit{NatSet} \cup Cls(f,\varphi_r) \cup \{\leftarrow f\}$ (and thus construct a proof of $\varphi$), where $\varphi$ is the WS1S formula $\forall X\,\exists Y\ X < Y$. Indeed, from the goal $\leftarrow f$ we generate the goal $\leftarrow \neg g$, and neither SLDNF nor Tabled Resolution are able to infer that $\leftarrow \neg g$ succeeds by detecting that $\leftarrow g$ generates an infinite set of failed derivations. □

We would like to mention that some other transformations could be applied for enhancing our unfold/fold transformation strategy. In particular, during the strategy we may apply the subsumption rule to shorten the transformation process by deleting some useless clauses. For instance, in Example 1 we can delete clause 5, which is subsumed by clause 4, thereby avoiding the introduction of the new predicate $new1$. In some other cases we can drop unnecessary type atoms. For instance, in Example 1 the type atom $nat(X)$ in clause 1 can be dropped because it is implied by the atom $X < Y$. The programs derived at the end of the execution of the WHILE statement of the unfold/fold transformation strategy are nondeterministic, in the sense that an atom with non-variable arguments may be unifiable with the head of several clauses. We can apply the technique presented in [?] for deriving deterministic programs and thus obtain smaller programs.

When the unfold/fold transformation strategy is used for program synthesis, 
it is often the case that the above mentioned transformations also improve the 
efficiency of the derived programs. 

Finally, we would like to notice that the unfold/fold transformation strategy can be applied starting from a program $P \cup Cls(f,\varphi_r)$ (instead of $\mathit{NatSet} \cup Cls(f,\varphi_r)$) where: (i) P is the output of a previous application of the strategy, and (ii) $\varphi$ is a formula built like a WS1S formula, except that it uses predicates occurring in P (besides $<$ and $\in$). Thus, we can synthesize programs (or construct proofs) in a compositional way, by first synthesizing programs for subformulas. We will follow this compositional methodology in the example of the following Section 7.

7 An Application to the Verification of Infinite State Systems: the Dynamic Bakery Protocol

In this section we present an example of verification of a safety property of an infinite state system by considering CLP(WS1S) programs [?]. As already mentioned, by applying our unfold/fold synthesis method we will then translate CLP(WS1S) programs into logic programs.

The syntax of CLP(WS1S) programs is defined as follows. We consider a set of user-defined predicate symbols. A CLP(WS1S) clause is of the form $A \leftarrow \varphi \wedge G$, where A is an atom, $\varphi$ is a formula of WS1S, G is a goal, and the predicates occurring in A or in G are all user-defined. A CLP(WS1S) program is a set of CLP(WS1S) clauses. We assume that CLP(WS1S) programs are stratified.

Given a CLP(WS1S) program P, we define the semantics of P to be its perfect model, denoted $M(P)$ (here we extend to CLP(WS1S) programs the definitions which are given for normal logic programs in [?]).

Our example concerns the Dynamic Bakery protocol, called DBakery for short, and we prove that it ensures mutual exclusion in a system of processes which share a common resource, even if the number of processes in the system changes during a protocol run in a dynamic way. The DBakery protocol is a variant of the N-process Bakery protocol [?].

In order to give the formal specifications of the DBakery protocol and its mutual exclusion property, we will use CLP(WS1S) as we now indicate. The transition relation between pairs of system states, the initial system state, and the system states which are unsafe (that is, the system states where more than one process uses the shared resource) are specified by WS1S formulas. However, in order to specify the mutual exclusion property we cannot use WS1S formulas only. Indeed, mutual exclusion is a reachability property which is undecidable in the case of infinite state systems. The approach we follow in this example is to specify reachability (and, thus, mutual exclusion) as a CLP(WS1S) program (see the program $P_{DBakery}$ below).
Let us first describe the DBakery protocol. We assume that every process is associated with a natural number, called a counter, and two distinct processes have distinct counters. At each instant in time, the system of processes is represented by a pair $(W, U)$, called a system state, where W is the set of the counters of the processes waiting for the resource, and U is the set of the counters of the processes using the resource.

A system state $(W, U)$ is initial iff $W \cup U$ is the empty set.

The transition relation from a system state $(W, U)$ to a new system state $(W', U')$ is the union of the following three relations:

(T1: creation of a process)

if $W \cup U$ is empty then $(W', U') = (\{0\}, \emptyset)$ else $(W', U') = (W \cup \{m+1\}, U)$, where m is the maximum counter in $W \cup U$,

(T2: use of the resource)

if there exists a counter n in W which is the minimum counter in $W \cup U$ then $(W', U') = (W - \{n\}, U \cup \{n\})$,

(T3: release of the resource)

if there exists a counter n in U then $(W', U') = (W, U - \{n\})$.

The mutual exclusion property holds iff from the initial system state it is not 
possible to reach a system state (W, U) which is unsafe, that is, such that U is 
a set of at least two counters. 

Let us now give the formal specification of the DBakery protocol and its mutual exclusion property. We first introduce the following WS1S formulas (between parentheses we indicate their meaning):

$empty(X) = \neg\exists x\ x \in X$
(the set X is empty)

$max(X, m) = m \in X \wedge \forall x\,(x \in X \rightarrow x \leq m)$
(m is the maximum in the set X)

$min(X, m) = m \in X \wedge \forall x\,(x \in X \rightarrow m \leq x)$
(m is the minimum in the set X)

(Here and in what follows, for reasons of readability, we allow ourselves to use lower case letters for individual variables of WS1S formulas.)

A system state $(W, U)$ is initial iff $\mathcal{N} \models init((W, U))$, where:

$init((W, U)) = empty(W) \wedge empty(U)$

The transition relation R between system states is defined as follows:

$((W, U), (W', U')) \in R$ iff

$\mathcal{N} \models cre((W, U), (W', U')) \vee use((W, U), (W', U')) \vee rel((W, U), (W', U'))$

where the predicates cre, use, and rel define the transition relations T1, T2, and T3, respectively. We have that:
$cre((W, U), (W', U')) = U' = U \wedge \exists Z\,(Z = W \cup U \wedge ((empty(Z) \wedge W' = \{0\}) \vee (\neg empty(Z) \wedge \exists m\,(max(Z, m) \wedge W' = W \cup \{s(m)\}))))$

$use((W, U), (W', U')) = \exists n\,(n \in W \wedge \exists Z\,(Z = W \cup U \wedge min(Z, n)) \wedge W' = W - \{n\} \wedge U' = U \cup \{n\})$

$rel((W, U), (W', U')) = W' = W \wedge \exists n\,(n \in U \wedge U' = U - \{n\})$

where the subformulas involving the set union ($\cup$), set difference ($-$), and set equality ($=$) operators can be expressed as WS1S formulas.

Mutual exclusion holds in a system state $(W, U)$ iff $\mathcal{N} \models \neg unsafe((W, U))$, where $unsafe((W, U)) = \exists n_1\,\exists n_2\,(n_1 \in U \wedge n_2 \in U \wedge \neg(n_1 = n_2))$, i.e., a system state $(W, U)$ is unsafe iff there exist at least two distinct counters in U.

Now we will specify the system states reached from a given initial system state by introducing the CLP(WS1S) program $P_{DBakery}$ consisting of the following clauses:

$reach(S) \leftarrow init(S)$

$reach(S1) \leftarrow cre(S, S1) \wedge reach(S)$

$reach(S1) \leftarrow use(S, S1) \wedge reach(S)$

$reach(S1) \leftarrow rel(S, S1) \wedge reach(S)$

where $init(S)$, $cre(S, S1)$, $use(S, S1)$, and $rel(S, S1)$ are the WS1S formulas listed above.

From $P_{DBakery}$ we derive a definite program $P'_{DBakery}$ by replacing the WS1S formulas occurring in $P_{DBakery}$ by the corresponding atoms $init(S)$, $cre(S, S1)$, $use(S, S1)$, and $rel(S, S1)$, and by adding to the program the clauses (not listed here) defining these atoms, which are derived from the corresponding WS1S formulas listed above by applying the unfold/fold synthesis method (see Section [?]). Let us call these clauses Init, Cre, Use, and Rel, respectively.

In order to verify that the DBakery protocol ensures mutual exclusion for every system of processes whose number dynamically changes over time, we have to prove that for every ground term s denoting a finite set of counters, $ur(s) \notin M(P'_{DBakery} \cup \{\text{clause 1}\})$, where clause 1 is the following clause which we introduce by the definition rule:

1. $ur(S) \leftarrow unsafe(S) \wedge reach(S)$

and unsafe{S) is defined by a set, called Unsafe, of clauses which are derived from 
the corresponding WSIS formula by using the unfold/fold synthesis method. 

In order to verify the mutual exclusion property for the DBakery protocol it is enough to show that $P'_{DBakery} \cup \{\text{clause 1}\}$ can be transformed into a new definite program without clauses for $ur(S)$. This transformation can be done, as we now illustrate, by a straightforward adaptation of the proof technique presented for Constraint Logic Programs in [?]. In particular, before performing folding steps, we will add suitable atoms in the bodies of the clauses to be folded.

We start off this verification by unfolding clause 1 w.r.t. the atom $reach$. We obtain the following clauses:

2. $ur(S) \leftarrow unsafe(S) \wedge init(S)$

3. $ur(S1) \leftarrow unsafe(S1) \wedge cre(S, S1) \wedge reach(S)$

4. $ur(S1) \leftarrow unsafe(S1) \wedge use(S, S1) \wedge reach(S)$

5. $ur(S1) \leftarrow unsafe(S1) \wedge rel(S, S1) \wedge reach(S)$

Now we can remove clause 2 because

$M(\mathit{Unsafe} \cup \mathit{Init}) \models \neg\exists S\,(unsafe(S) \wedge init(S))$.

The proof of this fact and the proofs of the other facts we state below are performed by applying the unfold/fold proof method of Section 6. Then, we fold clauses 3 and 5 by using the definition clause 1 and we obtain:

6. $ur(S1) \leftarrow unsafe(S1) \wedge cre(S, S1) \wedge ur(S)$

7. $ur(S1) \leftarrow unsafe(S1) \wedge rel(S, S1) \wedge ur(S)$

Notice that this application of the folding rule is justified by the following two facts:

$M(\mathit{Unsafe} \cup \mathit{Cre}) \models \forall S\,\forall S1\,(unsafe(S1) \wedge cre(S, S1) \rightarrow unsafe(S))$

$M(\mathit{Unsafe} \cup \mathit{Rel}) \models \forall S\,\forall S1\,(unsafe(S1) \wedge rel(S, S1) \rightarrow unsafe(S))$

so that, before folding, we can add the atom $unsafe(S)$ to the bodies of clauses 3 and 5. Now, since $M(\mathit{Unsafe} \cup \mathit{Use}) \models \neg\forall S\,\forall S1\,(unsafe(S1) \wedge use(S, S1) \rightarrow unsafe(S))$, clause 4 cannot be folded using the definition clause 1. Thus, we introduce the new definition clause:

8. $p1(S) \leftarrow c(S) \wedge reach(S)$

where $c((W, U)) = \exists n\,(n \in W \wedge \exists Z\,(Z = W \cup U \wedge min(Z, n))) \wedge \neg empty(U)$, which means that: in the system state $(W, U)$ there is at least one process which uses the resource and there exists a process waiting for the resource with counter n which is the minimum counter in $W \cup U$.

Notice that, by applying the unfold/fold synthesis method, we may derive a set, called Busy (not listed here), of definite clauses which define $c(S)$. By using clause 8 we fold clause 4, and we obtain:

9. $ur(S1) \leftarrow unsafe(S1) \wedge use(S, S1) \wedge p1(S)$

We proceed by applying the unfolding rule to the newly introduced clause 8, thereby obtaining:

10. $p1(S) \leftarrow c(S) \wedge init(S)$

11. $p1(S1) \leftarrow c(S1) \wedge cre(S, S1) \wedge reach(S)$

12. $p1(S1) \leftarrow c(S1) \wedge use(S, S1) \wedge reach(S)$

13. $p1(S1) \leftarrow c(S1) \wedge rel(S, S1) \wedge reach(S)$

Clauses 10 and 12 are removed, because

$M(\mathit{Busy} \cup \mathit{Init}) \models \neg\exists S\,(c(S) \wedge init(S))$

$M(\mathit{Busy} \cup \mathit{Use}) \models \neg\exists S\,\exists S1\,(c(S1) \wedge use(S, S1))$

We fold clauses 11 and 13 by using the definition clauses 8 and 1, respectively, thereby obtaining:

14. $p1(S1) \leftarrow c(S1) \wedge cre(S, S1) \wedge p1(S)$

15. $p1(S1) \leftarrow c(S1) \wedge rel(S, S1) \wedge ur(S)$

Notice that this application of the folding rule is justified by the following two facts:

$M(\mathit{Busy} \cup \mathit{Cre}) \models \forall S\,\forall S1\,((c(S1) \wedge cre(S, S1)) \rightarrow c(S))$

$M(\mathit{Busy} \cup \mathit{Rel}) \models \forall S\,\forall S1\,((c(S1) \wedge rel(S, S1)) \rightarrow unsafe(S))$

Thus, starting from program $P'_{DBakery} \cup \{\text{clause 1}\}$ we have derived a new program Q consisting of clauses 6, 7, 14, and 15. Since all clauses in $Def^*(ur, Q)$ are recursive, we have that for every ground term s denoting a finite set of counters, $ur(s) \notin M(Q)$ and, by the correctness of the transformation rules [?], we conclude that mutual exclusion holds for the DBakery protocol.
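The DBakery protocol described at the start of this section and the seven validity facts that justify the folding steps above, as an added executable model in Python. This is not code from the paper: it encodes system states as pairs of frozensets, writes $init$, $cre$, $use$, $rel$, $unsafe$ and the paper's $c$ (named `busy` here) as Python predicates over explicit sets rather than as WS1S formulas, and adds two bounded checks that a practitioner would run before (or beside) the unfold/fold proof: a breadth-first exploration that no unsafe state is reachable within a given number of transitions, and an exhaustive check of each implication over all states whose counters lie below a chosen bound, including the one implication the text says does not hold ($unsafe(S1) \wedge use(S, S1) \rightarrow unsafe(S)$). The depth and counter bounds are constructed for illustration; the checks are finite evidence, whereas the transformation above is the proof for the unbounded system.

```python
"""Added example (not from the paper): executable model of the DBakery protocol
(states (W, U), transitions T1-T3, the predicates init/cre/use/rel/unsafe and
the paper's c(S), here called busy) with bounded checks of the safety property
and of the facts used to justify folding.  Bounds are constructed values."""
from itertools import combinations


def subsets(universe):
    """All subsets of a finite universe, as frozensets."""
    items = list(universe)
    return [frozenset(cmb) for r in range(len(items) + 1)
            for cmb in combinations(items, r)]


def all_states(bound):
    """All system states (W, U) whose counters are below `bound` (constructed domain)."""
    return [(w, u) for w in subsets(range(bound)) for u in subsets(range(bound))]


def is_max(x, m): return m in x and all(v <= m for v in x)   # max(X, m)
def is_min(x, m): return m in x and all(m <= v for v in x)   # min(X, m)


def init(s):                        # init((W, U)) = empty(W) and empty(U)
    w, u = s
    return not w and not u


def cre(s, s1):                     # T1: creation of a process
    (w, u), (w1, u1) = s, s1
    z = w | u
    if u1 != u:
        return False
    if not z:
        return w1 == frozenset({0})
    return any(is_max(z, m) and w1 == w | {m + 1} for m in z)


def use(s, s1):                     # T2: the waiting process with the minimum counter takes the resource
    (w, u), (w1, u1) = s, s1
    z = w | u
    return any(n in w and is_min(z, n) and w1 == w - {n} and u1 == u | {n}
               for n in z)


def rel(s, s1):                     # T3: release of the resource
    (w, u), (w1, u1) = s, s1
    return w1 == w and any(u1 == u - {n} for n in u)


def unsafe(s):                      # at least two distinct counters in U
    return len(s[1]) >= 2


def busy(s):                        # the paper's c(S): U non-empty and min(W u U) lies in W
    w, u = s
    z = w | u
    return bool(u) and any(n in w and is_min(z, n) for n in z)


def successors(s):
    """Concrete successors of s under T1, T2, T3 (counters may grow without bound)."""
    w, u = s
    z = w | u
    out = {(frozenset({0}), u) if not z else (w | {max(z) + 1}, u)}   # T1
    if w and min(z) in w:                                               # T2
        out.add((w - {min(z)}, u | {min(z)}))
    for n in u:                                                         # T3
        out.add((w, u - {n}))
    return out


def reachable(depth):
    """States reachable from the initial state in at most `depth` transitions."""
    start = (frozenset(), frozenset())
    seen, frontier = {start}, {start}
    for _ in range(depth):
        frontier = {t for s in frontier for t in successors(s)} - seen
        seen |= frontier
    return seen


def no_unsafe_reachable(depth):
    """Bounded check of the mutual exclusion property."""
    return not any(unsafe(s) for s in reachable(depth))


def implies_everywhere(pre, step, post, bound):
    """True iff pre(S1) and step(S, S1) imply post(S) for all states below `bound`.
    Passing `lambda s: False` as post checks that pre(S1) and step(S, S1) is unsatisfiable."""
    states = all_states(bound)
    return all(post(s) for s in states for s1 in states if pre(s1) and step(s, s1))


def successors_match_relation(bound):
    """Cross-check: every concrete successor is related by cre, use or rel."""
    return all(cre(s, t) or use(s, t) or rel(s, t)
               for s in all_states(bound) for t in successors(s))


if __name__ == "__main__":
    print("no unsafe state within 8 steps:", no_unsafe_reachable(8))
    print("unsafe(S1) & cre(S,S1) -> unsafe(S):", implies_everywhere(unsafe, cre, unsafe, 4))
    print("unsafe(S1) & use(S,S1) -> unsafe(S):", implies_everywhere(unsafe, use, unsafe, 4))
    print("c(S1) & use(S,S1) unsatisfiable:", implies_everywhere(busy, use, lambda s: False, 4))
    print("c(S1) & cre(S,S1) -> c(S):", implies_everywhere(busy, cre, busy, 4))
    print("c(S1) & rel(S,S1) -> unsafe(S):", implies_everywhere(busy, rel, unsafe, 4))
```

The bounded exploration cannot replace the proof, because creation keeps producing fresh counters and the state space is infinite; what it does show is why the definition $c(S)$ is the right invariant to introduce: the counterexample that `implies_everywhere(unsafe, use, unsafe, 4)` finds, a state with a waiting counter smaller than the counter in use, is exactly the kind of state that $c$ characterises and that the protocol never reaches.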

8 Related Work and Conclusions 

We have proposed an automatic synthesis method based on unfold/fold program transformations for translating CLP(WS1S) programs into normal logic programs. This method can be used for avoiding the use of ad-hoc solvers for WS1S constraints when constructing proofs of properties of infinite state multiprocess systems.

Our synthesis method follows the general approach presented in [?] and it terminates for any given WS1S formula. No such termination result was given in [?]. In this paper we have also shown that, when we start from a closed WS1S formula, our synthesis strategy produces a program which is either (i) a unit clause of the form $f \leftarrow$ where f is a nullary predicate equivalent to the formula $\varphi$, or (ii) the empty program. Since in case (i) $\varphi$ is true and in case (ii) $\varphi$ is false, our strategy is also a decision procedure for closed WS1S formulas. This result extends [?] which presents a decision procedure based on the unfold/fold proof method for the clausal fragment of the WSkS theory, i.e., the fragment dealing with universally quantified disjunctions of conjunctions of literals.

Some related methods based on program transformation have been recently proposed for the verification of infinite state systems [?,?]. However, as shown by the example of Section 7, an important feature of our verification method is that the number of processes involved in the protocol may change over time, and other methods find it problematic to deal with such dynamic changes. In particular, the techniques presented in [?] for verifying safety properties of parametrized systems deal with reactive systems where the number of processes is a parameter which does not change over time.

Our method is also related to a number of other methods which use logic 
programming and, more generally, constraint logic programming for the verifi- 
cation of reactive systems (see, for instance, [?,?,?,?] and [?] for a survey). The 
main novelty of our approach w.r.t. these methods is that it combines logic pro- 
gramming and monadic second order logic, thereby modelling in a very direct 
way systems with an unbounded (and possibly variable) number of processes. 

Our unfold/fold synthesis method and our unfold/fold proof method have been implemented by using the MAP transformation system [?]. Our implementation is reasonably efficient for WS1S formulas of small size (see the example formulas of Section [?]). However, our main concern in the implementation was not efficiency and our system should not be compared with ad-hoc, well-established theorem provers for WS1S formulas based on automata theory, like the MONA system [?]. Nevertheless, we believe that our technique has its novelty and deserves to be developed because, being based on unfold/fold rules, it can easily be combined with other techniques for program derivation, specialization, synthesis, and verification, which are also based on unfold/fold transformations.